Query Details

Defender XDR Exposure Management For CVE 2024 3094

Query

//DefenderXDR Exposure Management for CVE-2024-3094
//https://www.linkedin.com/posts/activity-7180041278829580288-I4hU/

//After reading so many infosec posts relating to XZ, I decided to build this high-precision KQL detection using the latest DefenderXDR exposure management capability to determine Azure internet-facing Linux machines that have the vulnerable, compromised XZ and are running SSHD, which are susceptible to RCE attack. If this rule is triggered, I would strongly suggest you quickly remediate your Linux VM.🫡

// Set 1: devices whose software inventory lists an xz package in the 5.6.x line
let DeviceWithVulnerableXZ =
DeviceTvmSoftwareInventory 
| where SoftwareName contains "xz"
| where SoftwareVersion contains "5.6."
| distinct DeviceName;
// Set 2: devices that opened a listener on the default SSH port
let DevicewithSSHD =
DeviceNetworkEvents
| where ActionType == "ListeningConnectionCreated"
| where LocalPort == 22
| distinct DeviceName;
// Exposure graph: device / virtual machine nodes that are reachable from the internet
ExposureGraphNodes
| where NodeLabel == 'device' or (Categories has 'virtual_machine' and set_has_element(Categories, 'virtual_machine'))
// Condition: Internet Facing with vulnerable XZ and running SSHD
| where NodeProperties.rawData.isInternetFacing == true
// has_any term-matches the node name against the device names collected above
| where NodeName has_any (DeviceWithVulnerableXZ)
| where NodeName has_any (DevicewithSSHD)


Explanation

This KQL query is designed to identify Azure internet-facing Linux machines that are vulnerable to a specific security issue (CVE-2024-3094) and are running SSHD, which makes them susceptible to remote code execution (RCE) attacks. Here's a simplified breakdown of what the query does:

  1. Identify devices with vulnerable XZ software:

    • It searches the software inventory for devices that have "xz" installed with a version containing "5.6." and lists their names.
  2. Identify devices running SSHD:

    • It looks for devices that have created a listening connection on port 22 (the default SSHD port) and lists their names.
  3. Filter for internet-facing devices:

    • It then keeps only the exposure graph device nodes that are internet-facing, meaning they are reachable from the internet.
  4. Combine the conditions:

    • Finally, it keeps only the devices that satisfy all three conditions: they are internet-facing, they have the vulnerable "xz" software, and they are running SSHD.

If this rule is triggered, it indicates that the identified Linux virtual machines are at high risk and should be remediated immediately.
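A join-based variant of the same detection, added here as an example and not the catalog's own query: it returns the matching xz version, the sshd listening ports and the exposure node for each hit, so an analyst can triage from the result row. It assumes that DeviceName and NodeName share the same first DNS label (the correspondence the original relies on through has_any term matching) and that the listening event carries sshd in InitiatingProcessFileName.

```kql
// Added example, not the catalog query above. Same three conditions, joined
// explicitly so the result carries the evidence needed for triage.
let VulnerableXz =
    DeviceTvmSoftwareInventory
    | where SoftwareName contains "xz"
    | where SoftwareVersion contains "5.6."      // same version test as the original
    | summarize XzVersions = make_set(SoftwareVersion) by DeviceName;
let SshdListening =
    DeviceNetworkEvents
    | where ActionType == "ListeningConnectionCreated"
    // assumption: the listener is reported under the sshd process name; the
    // original matches LocalPort == 22 instead, which misses sshd on other ports
    | where InitiatingProcessFileName =~ "sshd"
    | summarize SshdPorts = make_set(LocalPort), LastSeen = max(Timestamp) by DeviceName;
let InternetFacingDevices =
    ExposureGraphNodes
    | where NodeLabel == "device"
    | where NodeProperties.rawData.isInternetFacing == true
    // assumption: NodeName and DeviceName share the first DNS label, which is
    // also what the original's has_any term match depends on
    | extend HostLabel = tolower(tostring(split(NodeName, ".")[0]))
    | project HostLabel, NodeId, NodeName;
VulnerableXz
| join kind=inner SshdListening on DeviceName
| extend HostLabel = tolower(tostring(split(DeviceName, ".")[0]))
| join kind=inner InternetFacingDevices on HostLabel
| project DeviceName, NodeName, NodeId, XzVersions, SshdPorts, LastSeen
```

If a row comes back with SshdPorts other than 22, the original port-based query would not have flagged that host.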

Details


Steven Lim

Released: August 2, 2024

Tables

DeviceTvmSoftwareInventory, DeviceNetworkEvents, ExposureGraphNodes

Keywords

Devices, Linux, VirtualMachine, SoftwareInventory, NetworkEvents, ExposureManagement

Operators

let, |, where, contains, ==, distinct, or, has, set_has_element, has_any
